upstream/ipython Files · IPython/utils/ulinecache.py

Fix CVE-2023-24816 by removing legacy code....

Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

Srinivas Reddy Thatiparthy - - Load All Authors

File last commit:

r23700:8e864e7c


                r28089:991849c2

Download file

             ulinecache.py
        
                    21 lines
            
             | 684 B
            
                | text/x-python
            
             |
                PythonLexer
            
             / IPython / utils / ulinecache.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Srinivas Reddy Thatiparthy
    
remove python2 code

              r23109
            
      """

        Srinivas Reddy Thatiparthy
    
Add deprecation warnings and message to getlines function

              r23118
            
      This module has been deprecated since IPython 6.0.

        Srinivas Reddy Thatiparthy
    
remove python2 code

              r23109
            
      Wrapper around linecache which decodes files to unicode according to PEP 263.

        Thomas Kluyver
    
Fix getting unicode lines in IPython.core.debugger.

              r8324
            
      """

      import functools

      import linecache

        Srinivas Reddy Thatiparthy
    
Add deprecation warnings and message to getlines function

              r23118
            
      from warnings import warn

        Thomas Kluyver
    
Fix getting unicode lines in IPython.core.debugger.

              r8324
            
        Srinivas Reddy Thatiparthy
    
remove python2 code

              r23109
            
      getline = linecache.getline

        Thomas Kluyver
    
Fix getting unicode lines in IPython.core.debugger.

              r8324
            
        Srinivas Reddy Thatiparthy
    
remove python2 code

              r23109
            
      # getlines has to be looked up at runtime, because doctests monkeypatch it.

      @functools.wraps(linecache.getlines)

      def getlines(filename, module_globals=None):

        Srinivas Reddy Thatiparthy
    
Add deprecation warnings and message to getlines function

              r23118
            
          """

          Deprecated since IPython 6.0

          """

          warn(("`IPython.utils.ulinecache.getlines` is deprecated since"

                " IPython 6.0 and will be removed in future versions."),

               DeprecationWarning, stacklevel=2)

        Srinivas Reddy Thatiparthy
    
remove python2 code

              r23109
            
          return linecache.getlines(filename, module_globals=module_globals)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Srinivas Reddy Thatiparthy remove python2 code	r23109	"""
Srinivas Reddy Thatiparthy Add deprecation warnings and message to getlines function	r23118	This module has been deprecated since IPython 6.0.

Srinivas Reddy Thatiparthy remove python2 code	r23109	Wrapper around linecache which decodes files to unicode according to PEP 263.
Thomas Kluyver Fix getting unicode lines in IPython.core.debugger.	r8324	"""
		import functools
		import linecache
Srinivas Reddy Thatiparthy Add deprecation warnings and message to getlines function	r23118	from warnings import warn
Thomas Kluyver Fix getting unicode lines in IPython.core.debugger.	r8324
Srinivas Reddy Thatiparthy remove python2 code	r23109	getline = linecache.getline
Thomas Kluyver Fix getting unicode lines in IPython.core.debugger.	r8324
Srinivas Reddy Thatiparthy remove python2 code	r23109	# getlines has to be looked up at runtime, because doctests monkeypatch it.
		@functools.wraps(linecache.getlines)
		def getlines(filename, module_globals=None):
Srinivas Reddy Thatiparthy Add deprecation warnings and message to getlines function	r23118	"""
		Deprecated since IPython 6.0
		"""
		warn(("`IPython.utils.ulinecache.getlines` is deprecated since"
		" IPython 6.0 and will be removed in future versions."),
		DeprecationWarning, stacklevel=2)
Srinivas Reddy Thatiparthy remove python2 code	r23109	return linecache.getlines(filename, module_globals=module_globals)